I would have thought if they really had a US govt / CIA / military / espionage customer, said customer would NOT want them to reveal ANYTHING about the exploit to Google nor the public, especially not its existance. So, they told us that there is an exploit, and now it's top hax0r news, might likely feature in mainstream news. Most sensible people will most likely hear of it, and will disable flash / plugins in chrome until someone fixes it. Any worthy target for netspionage with any money and brain will hear about it immediately, and quit using chrome for lynx, dillo, or something even simpler.

Anyone who uses such a large app as a modern over-engineered web HTML5 bugzilla-feeding browser is kissing security goodbye forever. GNU ls(1) may have security bugs FFS, do you think your browser doens't? Do they include Chrome or Firefox in the 'pretty secure' OpenBSD base install? No, no, they do not nor never will do this, although it is a most popular app!! (also because nearly all *BSD boxes become servers, but you get my drift.) Even if Chrome were regarded as an essential system service for every box to run, they would NOT include it! better the system grind to a halt by itself without yielding access.

Google will redouble Chrome's general security and sandbox security in a push-patch, and this will most likely break the hack. Or they will rediscover it. LOL at your short-lived hack, your Government _will_ be pleased that you disrespected their payment and trust, boasting about it everywhere, putting Google and their targets on red-alert.

The 'secret black ops' part of Government would not only be displeased, they would kick their ass so damn hard for revealing that there is an exploit, that they would not be able to discover more exploits for years due to severe ass damage pain.

They pay you to learn stuff so we can do espionage or whatever fuckdoggery they might be intending at poor Arab countries to steal their oil, or suchlike... Then this silly idiot hacker company posts 'woohoo we found an exploit, look at us: but we can't tell you how it works - 'tis just for our pals in the govt'. Then the presumably nasty branch of govt gets out the concrete mixer and applies the concrete slippers - national borders not being much of an obstacle - then tosses the talkative hackers into the middle of the pacific trench (there's deep water there). They are then eaten by those nasty deep-sea fish with big teeth, and lights on stalks to freak us out.

So anyway, this 'half-secret hack' business reeks deeply of bullshit to me.

For some real bullshit, forget everything else I said. Windows is the utter pinnacle of bullshit for security, full stop. I understand that certain few idiots among the population do use it for playing games, and watching porn, and trying to be hackers, and in offices, but seriously: if you use Windows, any edition of Windows, for your own security, you obviously have not a clue nor give a real fuck about your security at all. Your password is probably 'dog' or 'cat'. OS X and Linux are barely any better for security.

If you want real security, throw away all the public and commodity crap operating systems and build your own. Or pay someone smart to build it. If it takes you less than 5 years to debug it before deployment, or it's more than 100KB of code in total size, I guess you failed: it's not secure. I'll give you a hint. Every process in the system should have access to precisely nothing by default. Not even the CPU, not even the time of day. Every single resource that is needed must be introduced to the process's environment by a neighbor or parent process (if possible, and in most cases it should not be). The entire system, especially process / resource structure, privilege and connection must be visible as a nested, nodes-and-arcs graph, for the user / sysop to verify and check what the hell is going on in it. If there's no link from Chrome to your printer, and you've disabled changes to that part of the process structure, Chrome will not ever print anything unless there's a solar storm - or similar stimulus - that miraculously alters everything without crashing it. You ANTICIPATED THAT UNLIKELY EVENT, and made 3 or 4 systems running everying exactly the same, in parallel, in sync at each step. If one screws up due to solar fuckdoggery, throw it in the bin and swap in another (like RAID). They do this shit in planes I believe, not the swap in bit, until it lands. The solar demons won't miraculously pseudo-break them all at once in the SAME WAY.

Windows, Microsoft, Security - can you spot the odd one out? Can you see a juxtaposition here folks? Can you feel it? A disturbance ripples through the force, out through the local cluster (of galaxies) and back, because those three words were collected together in one place.

No amount of ill-acquired M$ money spent on Windoze security enhancements can break their appallingly bad track record for security holes, loss of privacy, and the happy virus cultivation ecosystems that Microsoft has consistently provided over the years with every version of Windows, almost from before viruses were invented. I think the first well-made and famous exploit came well before windows was conceived, I'd suggest Ken's cc hack. That's the first brilliant exploit I happen to know about - from the vendor himself, sly bastard. It's hard to believe he didn't go to jail for that, anyway, heh.

So yeah - VUPEN, Chrome, Windoze, haX0Rz working for the Big-G Government. LOL. Security Jokes all around. Chrome being the more respectable and secure among them in my opinion. And anyone who runs a nuclear reactor that depends for its stability or continued safe operation on a computer is a cow-tipping idiot too. Cars don't even. @stuxnet @.mil

Did the .gov pwn TPB and put their exploit up there?

These things should not in my opinion be disclosed to (the idiot skript kiddie segment of) the public before the vendors have been given a good long window to fix them.

I prefer what VUPEN does when compared to irresponsible discoveries by black hats who do not give a shit about the integrity of the installed product and privacy / safety / security of how many millions of users, who can then be screwed over by every skript kiddie and his dog because they released the info straight to the public.

Sure, if the vendor has absolutely ignored you and your loud demos of the bug, and won't respond to threats to release, you might release the exploit to a small segment of the IRREPROACHABLE VANILLA WHITE HAT security community with the intention that they might help persuade the vendor to take it seriously. That's about as far as I'd want go with releasing serious exploits. Although of course grey/black hat stuff is fun - look, mum, I have a cool exploit!

If VUPEN are sworn to secrecy by their Government customer, and cannot tell the vendor or help them fix the bug, maybe it's time to get a new Government and public service. Your Government (US arrogances with a captial G) is trying to pwn you and spy on you. Fuck that, the government should answer to the will of the people (and don't talk to me about the farce we call democratic election. Democracy is where (almost) all the people are deeply involved in determining policy, it's more like the ideal soviet system, really, which was not realized AFAIK.)

Anyway, isn't that why you're carting guns around all these years, in case your (US) Government turns nasty and starts pwning your ass up down right and left with a canoe? (Not that it wasn't already.) Yes indeed, guns!! However let it not be said that I am inciting violent revolution with this sarcastic post, as I don't believe in or wish to promote that or any violent act.

Poor Google, not enough money. LOL!

Comments URL: https://news.ycombinator.com/item?id=2529879

Points: 1

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=2529750

Points: 1

# Comments: 0